Tuesday, September 25, 2018

"Master Password" Is A Password Manager Alternative That Doesn't Store Passwords

https://www.linuxuprising.com/2018/09/master-password-is-password-manager.html


Master Password is a different way of using passwords. Instead of the "know one password, save all others somewhere" way of managing passwords used by regular password managers, Master Password's approach is "know one password, generate all the others".

Master Password desktop Java app

Master Password is free and open source. It doesn't store any passwords, it doesn't use cloud servers, and it only requires you to remember one password. It's available for Android, iOS, desktops, the console and the web.

Instead of storing your passwords locally or in the cloud, Master Password calculates your passwords using a cryptographic algorithm. The application uses the user name, master password, site name, site counter and site template values to calculate your password for a given website. As a result, it can reproduce your passwords at any time without storing them anywhere.

Advantages of using Master Password instead of traditional password managers include:

  • Your passwords aren't stored anywhere, so you don't have to trust any third party with your passwords (and there's no need to worry that some service you're using might get hacked or go down when you need it).
  • If your device breaks or is stolen, it doesn't matter: you can use any other device to calculate your passwords.
  • You don't need to back up your passwords.
  • There's no need to keep your passwords in sync somewhere easily accessible.

There are a couple of downsides too though:

  • Since each password created using Master Password is derived from your master password (among other inputs), if your master password is compromised, or if you want to change it for whatever reason, you'll also need to change all your website passwords. So use a strong master password (though that should always be the case).
  • If you need to change a website password (for example because a website was hacked and forces you to change it), you'll need to increase the "Counter" value in that site's settings in Master Password so it generates a new password, and remember to use the new counter value each time you use Master Password to calculate the password for that website. One way around this is to store the counter value (and any other particular settings you use for some websites) somewhere.

Related: Bitwarden: The Secure, Open Source Password Manager You're Looking For

The Master Password Wikipedia page mentions that the algorithm uses scrypt, an intentionally slow key derivation function, to generate the master key, making brute-force attacks infeasible. The master key is a global 64-byte secret key generated from the user's secret master password and salted with their full name.

The master key, site name and the site counter are used to generate site-specific secrets / keys using the HMAC-SHA256 algorithm.
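To make the derivation described in the two paragraphs above (and in the overview near the top of the post) concrete, here is an added Python sketch. It is not the project's own code and is not output-compatible with the real Master Password apps: the scope string, the length-prefix encoding, the template list and the character classes are assumptions made for this demo, and the scrypt cost parameters are lowered so it runs quickly. What it does show is the shape of the scheme: a 64-byte master key from scrypt over the master password salted with the full name, a per-site key from HMAC-SHA256 keyed with the master key over the site name and counter, and a password read off that key through a template, so the same five inputs always give the same password on any device.

```python
import hashlib
import hmac
import struct

# Demo scope string mixed into every salt and message; the real app uses its
# own constant (assumption, not from the page).
SCOPE = b"demo.masterpassword.example"

# Template letters -> character classes (simplified for the demo; assumption).
CHAR_CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}

# Password templates per site-template type; the site key picks one (assumption).
TEMPLATES = {
    "long": ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno"],
    "pin": ["nnnn"],
}


def master_key(full_name: str, master_password: str) -> bytes:
    """Global 64-byte master key: scrypt over the master password, salted with
    the full name. Cost parameters are lowered for the demo; the real app uses
    a deliberately slow setting so guessing the master password is expensive."""
    name = full_name.encode("utf-8")
    salt = SCOPE + struct.pack(">I", len(name)) + name
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def site_key(mkey: bytes, site_name: str, counter: int = 1) -> bytes:
    """Site-specific 32-byte key: HMAC-SHA256 keyed with the master key over the
    site name and counter. Bumping the counter changes this key (and so the
    password) without touching the master key."""
    site = site_name.encode("utf-8")
    message = SCOPE + struct.pack(">I", len(site)) + site + struct.pack(">I", counter)
    return hmac.new(mkey, message, hashlib.sha256).digest()


def site_password(skey: bytes, template_type: str = "long") -> str:
    """Map the site key onto a template: byte 0 selects the template, byte i+1
    selects the character for template position i from that position's class."""
    templates = TEMPLATES[template_type]
    template = templates[skey[0] % len(templates)]
    chars = []
    for i, cls in enumerate(template):
        pool = CHAR_CLASSES[cls]
        chars.append(pool[skey[i + 1] % len(pool)])
    return "".join(chars)


def derive(full_name: str, master_password: str, site_name: str,
           counter: int = 1, template_type: str = "long") -> str:
    """End to end: nothing is stored, the password is recomputed from the inputs."""
    mkey = master_key(full_name, master_password)
    return site_password(site_key(mkey, site_name, counter), template_type)


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    mk = master_key("Jane Doe", "correct horse battery staple")
    for counter in (1, 2):
        print("janedoe@twitter.com counter", counter, "->",
              site_password(site_key(mk, "janedoe@twitter.com", counter)))
    # Entering the site name in a different format yields an unrelated password,
    # which is why the post advises sticking to one format per site.
    print("twitter.com counter 1 ->", site_password(site_key(mk, "twitter.com", 1)))
```

Two properties worth noticing when you run it: changing the master password or the full name by a single character changes every site password (the "change them all" downside from the list above), and changing only the counter changes just that one site's password, which is the intended way to rotate a single credential.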

Read the Master Password FAQ for more information about its security.

It should also be noted that while Master Password itself can't autofill login credentials in web browsers, there are third-party extensions that can do this. For example, MasterPassword-Firefox (also available for Chrome) can autofill your username and password.

Using Master Password


While the Master Password web app doesn't store anything, and the Android app can only remember your name (I don't know about the iOS and Mac apps as I haven't tried them), the desktop Java application can save the names of the sites you've used in the past to make it easier to use them in the future. This is not required (you can check the Incognito box to not save the user to disk), and it's only to simplify the way you access the passwords.

The website names are saved in ~/.mpw.d. If you use multiple computers, you could sync this directory with a service such as Nextcloud or Dropbox. The passwords are not stored there, or anywhere else.

The Master Password desktop application is written in Java, so to run it you'll need a JRE (Java Runtime Environment). You can use either OpenJDK or Oracle Java. You can install the OpenJDK 8 JRE on Debian, Ubuntu, elementary OS, Linux Mint and other Debian or Ubuntu-based Linux distributions with this command:

sudo apt install openjdk-8-jre

You may also need to mark the downloaded masterpassword-gui.jar file as executable. You can do this using your file manager or with this command (assuming you placed the .jar file in your home directory):

chmod +x ~/masterpassword-gui.jar

To use the Master Password desktop (Java) application, double-click the .jar file to launch it. Next, click the + icon on the left to add a new user to Master Password. Enter your full name (which you'll need to remember, since it salts the master key) here, then click OK:

Master Password add user

Optionally you can check the Incognito box if you don't want to save the user to disk.

On the next screen you'll need to set a master password (which, just like the full name you entered in the previous step, you need to make sure you don't forget):

Master Password

It's now time to generate / calculate a password for a website. Let's say you want to get a password for your Twitter account. Type yourusername@twitter.com (using your actual Twitter username here) in the ... password for: field, then press the Enter key:

Master Password add website

I recommend using yourusername@twitter.com (replacing yourusername with your actual Twitter username) in case you have multiple accounts. Even if you don't have multiple accounts right now, you may create more in the future, and this way you'll be able to tell the accounts apart. You could also use just twitter.com if you're sure you'll never create multiple accounts for this particular website.

As a recommendation, use the same format for each website. This way it will be easier to remember how you entered the website name. That matters because the site name is an input to the calculation: you need to enter it in exactly the same way each time you want Master Password to calculate your password (unless you only ever use the Master Password desktop application with the user saved to disk).

I suggest not entering mobile.twitter.com, http://twitter.com, https://www.twitter.com or other variations; just stick to a single format.

After a site is added, you can change its settings by clicking on the first icon from the top on the right-hand side of the application window:

Master Password site settings

From there you can change the algorithm, counter value, password type and login type, and enter a URL for the website. It's best to keep the defaults as much as possible, so you don't forget what settings you've used when you need to calculate the password again.

When you want to use a password, select the entry / website you want in Master Password, then press the Enter key. When you do this, the password is automatically copied to your clipboard, and the Master Password application window is minimized.

If you want to calculate a password using an app that didn't store the name of the website, like the web app for example, you'll need to enter your full name, the website name, the counter value (if you've changed it from the default of 1) and your master password. Try it out: use the same details you've used in the desktop application in the Master Password web app, and the calculated password should be the same.

Download Master Password



There are official Master Password applications for desktops (Java), macOS, Android, iOS, console and the web. You'll also find unofficial apps / extensions, like Master Password for Firefox or Chrome / Chromium browsers, another Master Password app for Android, and probably others.

The Master Password applications' code is on GitLab, along with some more information.
